Nonprofit research organization MITRE has released the latest version of its ATT&CK framework, adding support for threat information affecting Apple's MacOS and containers, while also allowing more data sources and relationships. 

The release is one of two updates to the popular framework due out this year, with another planned for October. The two most major changes are better support for both the MacOS and containers and the adoption of more flexible ways of specifying the necessary data to describe each threat technique. The release includes 16 new groups, 67 new pieces of software, and updates to 36 other groups and 51 software entries, according to MITRE.

The goal is to make the framework more functional, based on specific feedback from its community of users, says Adam Pennington, ATT&CK lead at MITRE.

"People look at ATT&CK as a way to map out and plan their defenses," he says. "We are seeing it used as a way for people to either start from a specific area — such as an adversary that they are worried about or some subset of an attack, and take a look at what their stance is in relation to each of those behaviors — or perhaps as a way to plan out behavioral analytics."

In a blog published Thursday, the research organization stated that the update is designed to better connect offensive techniques with potential defensive actions. The intent is to tag every technique in the ATT&CK framework with "defensive-focused fields [and] properties as a way to help defenders detect and respond to attacks.

The company had described the improvements in its road map for 2021, published in March. The organization stated there would be no major structural adjustments; instead, MITRE plans to make improvements across the framework. 

"Our chief focus will be on enhancing and enriching content across the ATT&CK platforms and technical domains," MITRE stated in its road map. "We'll be making incremental updates to core concepts, such as Software and Groups, and working towards a more structured contributions process, while maintaining a biannual release tempo, scheduled for April and October."

A major initiative in the latest version is to allow better data to be collected on specific threat descriptions included in the ATT&CK framework. The idea is to tell defenders specifically what data they need to collect to best detect attackers and determine which techniques they are using. MITRE reviewed all the different data sources and components and remapped them where necessary.

"The material that people see today is not going to undergo another drastic change. We are just going to be adding more context behind it," Pennington says. "It's about getting a better idea of — with their various collection mechanisms, SIEMs, sensors, whatever — what do they need to be looking for to understand an adversary's behavior."

The ATT&CK framework now also includes more MacOS-specific threats and mappings, he says. Techniques and data specific to Linux-based systems will arrive with the next update in October. 

"We spend a lot of time on Windows, as do adversaries," Pennington says. "For Linux, we hear a lot going on with containers, but we don't see a ton of detail in what is going on. The same with Mac. We hear from people there is a lot of activity going on, and we are beginning to incorporate that into ATT&CK."

MITRE has also brought together the threats, techniques, and data sources for cloud platforms into consolidated groups, such as the infrastructure-as-a-service (IaaS) platform as part of the broader Cloud Service Providers category. In addition, software-as-a-service (SaaS) offerings Office 365 and Google Workspace are not included, so defenders can map adversary behaviors.

The company continues to make modifications based on feedback. In October, the company will release more support for mobile threats and defenses, as well as update the approach to threats that affect industrial control systems.

In the future, ATT&CK will also incorporate container technologies. MITRE has already released ATT&CK for Containers matrix and will be incorporating feedback for future releases, the organization says.

Editor's note: This article was updated to correct an error regarding when Linux will be explicitly supported in the ATT&CK framework. Linux support is planned for October.